cdrtz Posted September 22, 2015 Share Posted September 22, 2015 Hi, Looking around to solve some SMTP/IMAP connection problems I found the email configurations in the database. To my surprise I found that the password is not encrypted. If you are curious check the ps_configuration database table, entries with the name PS_SAV_IMAP_PWD and PS_MAIL_PASSWD, or, if you can access your database, just run these SQL queries: SELECT * FROM 'ps_configuration' WHERE 'name' LIKE '%PWD%' and SELECT * FROM 'ps_configuration' WHERE 'name' LIKE '%PASS%' If you are on the prestashop cloud then you are out of luck and you cannot acces the database. Moreover, if you look in the backoffice under Customers->Customer Service at the CUSTOMER SERVICE OPTIONS section the entry IMAP Password displays the password in clear right there, in the user interface. At least the entry for the SMTP settings under the Advanced Parameters->E-mail hides the password in the user interface. Thus anyone with a database access can read your email password(s). This might not seem like a big issue if you host your store locally and are the single person working on it and having access to the hosting. But what if your store is on a paid hosting, like I assume most of them are, or in the prestashop cloud? Then any hosting service admin has access to the clear password in the database. Or you might have multiple people working on the same store, each of them with different privilegies and access, and you might not share the email passwords with everyone that has cPanel/hosting access. Let's not talk about the situation when you do your best to set up different password for various accounts but then your email passwords are exposed in a prestashop hosting attack. To conclude, this is a very serious, overlooked security problem and I hope that the prestashop developers are aware of it and will solve it soon. That shouldn't be too hard as it looks like the user account passwords are stored encrypted. P.S.: If there is a hidden option somewhere to achieve email configuration password encryption please let me know. If that is the case, it shouldn't be an option. Link to comment Share on other sites More sharing options...
pedroserapio Posted December 8, 2015 Share Posted December 8, 2015 (edited) I also don't understand why this field it's almost open to everyone inside the BO. I created the following override in : /override/controllers/admin/AdminCustomerThreadsController.php with following content: class AdminCustomerThreadsController extends AdminCustomerThreadsControllerCore { public function __construct() { $this->bootstrap = true; $this->context = Context::getContext(); $this->table = 'customer_thread'; $this->className = 'CustomerThread'; $this->lang = false; $contact_array = array(); $contacts = Contact::getContacts($this->context->language->id); foreach ($contacts as $contact) { $contact_array[$contact['id_contact']] = $contact['name']; } $language_array = array(); $languages = Language::getLanguages(); foreach ($languages as $language) { $language_array[$language['id_lang']] = $language['name']; } $icon_array = array( 'open' => array('class' => 'icon-circle text-success', 'alt' => $this->l('Open')), 'closed' => array('class' => 'icon-circle text-danger', 'alt' => $this->l('Closed')), 'pending1' => array('class' => 'icon-circle text-warning', 'alt' => $this->l('Pending 1')), 'pending2' => array('class' => 'icon-circle text-warning', 'alt' => $this->l('Pending 2')), ); $status_array = array(); foreach ($icon_array as $k => $v) { $status_array[$k] = $v['alt']; } $this->fields_list = array( 'id_customer_thread' => array( 'title' => $this->l('ID'), 'align' => 'center', 'class' => 'fixed-width-xs' ), 'customer' => array( 'title' => $this->l('Customer'), 'filter_key' => 'customer', 'tmpTableFilter' => true, ), 'email' => array( 'title' => $this->l('Email'), 'filter_key' => 'a!email', ), 'contact' => array( 'title' => $this->l('Type'), 'type' => 'select', 'list' => $contact_array, 'filter_key' => 'cl!id_contact', 'filter_type' => 'int', ), 'language' => array( 'title' => $this->l('Language'), 'type' => 'select', 'list' => $language_array, 'filter_key' => 'l!id_lang', 'filter_type' => 'int', ), 'status' => array( 'title' => $this->l('Status'), 'type' => 'select', 'list' => $status_array, 'icon' => $icon_array, 'align' => 'center', 'filter_key' => 'a!status', 'filter_type' => 'string', ), 'employee' => array( 'title' => $this->l('Employee'), 'filter_key' => 'employee', 'tmpTableFilter' => true, ), 'messages' => array( 'title' => $this->l('Messages'), 'filter_key' => 'messages', 'tmpTableFilter' => true, 'maxlength' => 40, ), 'private' => array( 'title' => $this->l('Private'), 'type' => 'select', 'filter_key' => 'private', 'align' => 'center', 'cast' => 'intval', 'callback' => 'printOptinIcon', 'list' => array( '0' => $this->l('No'), '1' => $this->l('Yes') ) ), 'date_upd' => array( 'title' => $this->l('Last message'), 'havingFilter' => true, 'type' => 'datetime', ), ); $this->bulk_actions = array( 'delete' => array( 'text' => $this->l('Delete selected'), 'confirm' => $this->l('Delete selected items?'), 'icon' => 'icon-trash' ), ); $this->shopLinkType = 'shop'; $this->fields_options = array( 'contact' => array( 'title' => $this->l('Contact options'), 'fields' => array( 'PS_CUSTOMER_SERVICE_FILE_UPLOAD' => array( 'title' => $this->l('Allow file uploading'), 'hint' => $this->l('Allow customers to upload files using the contact page.'), 'type' => 'bool' ), 'PS_CUSTOMER_SERVICE_SIGNATURE' => array( 'title' => $this->l('Default message'), 'hint' => $this->l('Please fill out the message fields that appear by default when you answer a thread on the customer service page.'), 'type' => 'textareaLang', 'lang' => true ) ), 'submit' => array('title' => $this->l('Save')) ), 'general' => array( 'title' => $this->l('Customer service options'), 'fields' => array( 'PS_SAV_IMAP_URL' => array( 'title' => $this->l('IMAP URL'), 'hint' => $this->l('URL for your IMAP server (ie.: mail.server.com).'), 'type' => 'text' ), 'PS_SAV_IMAP_PORT' => array( 'title' => $this->l('IMAP port'), 'hint' => $this->l('Port to use to connect to your IMAP server.'), 'type' => 'text', 'defaultValue' => 143, ), 'PS_SAV_IMAP_USER' => array( 'title' => $this->l('IMAP user'), 'hint' => $this->l('User to use to connect to your IMAP server.'), 'type' => 'text' ), 'PS_SAV_IMAP_PWD' => array( 'title' => $this->l('IMAP password'), 'hint' => $this->l('Password to use to connect your IMAP server.'), 'validation' => 'isAnything', 'type' => 'password', 'autocomplete' => false ), 'PS_SAV_IMAP_DELETE_MSG' => array( 'title' => $this->l('Delete messages'), 'hint' => $this->l('Delete messages after synchronization. If you do not enable this option, the synchronization will take more time.'), 'type' => 'bool', ), 'PS_SAV_IMAP_CREATE_THREADS' => array( 'title' => $this->l('Create new threads'), 'hint' => $this->l('Create new threads for unrecognized emails.'), 'type' => 'bool', ), 'PS_SAV_IMAP_OPT_NORSH' => array( 'title' => $this->l('IMAP options').' (/norsh)', 'type' => 'bool', 'hint' => $this->l('Do not use RSH or SSH to establish a preauthenticated IMAP sessions.'), ), 'PS_SAV_IMAP_OPT_SSL' => array( 'title' => $this->l('IMAP options').' (/ssl)', 'type' => 'bool', 'hint' => $this->l('Use the Secure Socket Layer (TLS/SSL) to encrypt the session.'), ), 'PS_SAV_IMAP_OPT_VALIDATE-CERT' => array( 'title' => $this->l('IMAP options').' (/validate-cert)', 'type' => 'bool', 'hint' => $this->l('Validate certificates from the TLS/SSL server.'), ), 'PS_SAV_IMAP_OPT_NOVALIDATE-CERT' => array( 'title' => $this->l('IMAP options').' (/novalidate-cert)', 'type' => 'bool', 'hint' => $this->l('Do not validate certificates from the TLS/SSL server. This is only needed if a server uses self-signed certificates.'), ), 'PS_SAV_IMAP_OPT_TLS' => array( 'title' => $this->l('IMAP options').' (/tls)', 'type' => 'bool', 'hint' => $this->l('Force use of start-TLS to encrypt the session, and reject connection to servers that do not support it.'), ), 'PS_SAV_IMAP_OPT_NOTLS' => array( 'title' => $this->l('IMAP options').' (/notls)', 'type' => 'bool', 'hint' => $this->l('Do not use start-TLS to encrypt the session, even with servers that support it.'), ), ), 'submit' => array('title' => $this->l('Save')), ), ); return AdminController::__construct(); } } After upload the override, I cleared the cache in Advanced Parameters -> Performance -> Clear cache If doesn't apply, delete manually the files inside /cache/smarty/cache , /cache/smarty/compile and /cache/class_index.php Do not delete the index.php files. Parts modified: 'PS_SAV_IMAP_PWD' => array( 'title' => $this->l('IMAP password'), 'hint' => $this->l('Password to use to connect your IMAP server.'), 'validation' => 'isAnything', 'type' => 'password', 'autocomplete' => false return AdminController::__construct(); Edited December 8, 2015 by pedroserapio (see edit history) 1 Link to comment Share on other sites More sharing options...
bellini13 Posted December 8, 2015 Share Posted December 8, 2015 (edited) To conclude, this is a very serious, overlooked security problem and I hope that the prestashop developers are aware of it and will solve it soon. That shouldn't be too hard as it looks like the user account passwords are stored encrypted. P.S.: If there is a hidden option somewhere to achieve email configuration password encryption please let me know. If that is the case, it shouldn't be an option. Customer and Employee passwords are stored using a one way encryption (its an m5d hash of the password value). This means they are never actually decrypted, since they cannot be. When a customer/employee tries to log on, the password they provide is encrypted using the one way algorithm, and then compared to the encrypted value in the database. If the 2 encrypted values match, then they log on. That is very different from what has to occur with the SMTP password. Since the original un-encrypted SMTP password has to be sent to the SMTP gateway, it cannot be encrypted using a one way algorithm since it cannot be decrypted to be sent. So the solution would be to actually implement a 2 way encryption algorithm, which also means managing a public/private key. It also requires software is installed to manage it. Something Prestashop cannot guarantee would exist on everybody's server. So if you would like PS to address this, then you would have to create a Forge ticket so they will become aware, and possibly enhance their software in the future. They will not view this as a defect, since it has worked this way since Day 1. The alternative is to develop the solution yourself and optionally commit that to their github as a contribution. Edited December 8, 2015 by bellini13 (see edit history) Link to comment Share on other sites More sharing options...
AFCNeo Posted July 18, 2016 Share Posted July 18, 2016 I'm using the Prestashop version 1.6.1.4 and there is still this problem, the question of IMAP Password be fully visible in the Backoffice is a very serious error. Thanks pedroserapio for your suggestion, it worked perfectly. Link to comment Share on other sites More sharing options...
OdeChan Posted August 27, 2020 Share Posted August 27, 2020 5 years later, we're at version 1.7.6.7, and this is still an issue. Why? Link to comment Share on other sites More sharing options...
Kaper Posted May 5, 2021 Share Posted May 5, 2021 This is just INSANE ... Link to comment Share on other sites More sharing options...
Gipielle Posted August 29, 2022 Share Posted August 29, 2022 This is the response to my email send in May 2022 at [email protected] Dear Betafer, Thank you for your report. You are right, this credential should be encrypted, this would be safer. I will make sure this is carried out soon to make the software more secure. Best regards, we are in August 2022 and we have installed ps 1.7.8.7 and the security problem is still there Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now